Generated .htaccess in plugins folder breaks all plugins #4499

Closed
oparoz opened this issue Jan 11, 2014 · 17 comments
Labels
Bug For errors / faults / flaws.
oparoz commented Jan 11, 2014

When a new plugin is installed, an .htaccess file is created in the plugins folder with the following content.
```
<Files "*">
    <IfModule mod_access.c>
        Deny from all
    </IfModule>
    <IfModule !mod_access_compat>
        <IfModule mod_authz_host.c>
            Deny from all
        </IfModule>
    </IfModule>
    <IfModule mod_access_compat>
        Deny from all
    </IfModule>
</Files>
```

This configuration completely breaks Piwik for us. Leaving the logs littered with messages like this:
```
Jan 11 00:55:44.367351 2014 [pid 95149:tid 34394546176 1.2.3.4:59467 AH01797: client denied by server configuration: /public_html/pro/plugins/Login/javascripts/login.js
```

We're using PHP-FPM 5.4 via FastCGI on Apache 2.4
Files are owned by the user. PHP is run as the user.

Keywords: htaccess, php-fpm

@oparoz
Author

oparoz commented Jan 11, 2014

I've just activated the TreemapVisualization plugin and got a different .htaccess, which works.

```
<Files ~ ".(php|php4|php5|inc|tpl|in|twig)$">
    <IfModule mod_access.c>
        Deny from all
    </IfModule>
    <IfModule !mod_access_compat>
        <IfModule mod_authz_host.c>
            Deny from all
        </IfModule>
    </IfModule>
    <IfModule mod_access_compat>
        Deny from all
    </IfModule>
</Files>
<Files ~ ".(test.php|gif|ico|jpg|png|svg|js|css|swf)$">
    <IfModule mod_access.c>
        Allow from all
    </IfModule>
    <IfModule !mod_access_compat>
        <IfModule mod_authz_host.c>
            Allow from all
        </IfModule>
    </IfModule>
    <IfModule mod_access_compat>
        Allow from all
    </IfModule>
    Satisfy any
</Files>
```
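
Added example, not part of the original thread and not Piwik's code: a small audit that reads a generated `.htaccess` and reports which static plugin assets its `<Files>` sections would deny, so the two files quoted above can be compared before one of them breaks the UI. The function names, the `Login.php` sample paths and the "last matching `<Files>` section decides" model are assumptions made for this example; the file texts are abbreviated copies of the ones in the thread, with the regex dots escaped as in the later comment.

```python
import fnmatch
import re

# Abbreviated copies of the two files quoted in this thread (constructed for
# the example: only one IfModule wrapper per section is kept).
BROKEN = '''<Files "*">
<IfModule mod_access_compat>
Deny from all
</IfModule>
</Files>'''

WORKING = r'''<Files ~ "\.(php|php4|php5|inc|tpl|in|twig)$">
<IfModule mod_access_compat>
Deny from all
</IfModule>
</Files>
<Files ~ "\.(test\.php|gif|ico|jpg|png|svg|js|css|swf)$">
<IfModule mod_access_compat>
Allow from all
</IfModule>
Satisfy any
</Files>'''

SECTION = re.compile(r'<Files\s+(~\s+)?"([^"]*)">(.*?)</Files>', re.S | re.I)

def parse_sections(text):
    """Return (is_regex, pattern, verdict) for each <Files> section, in order."""
    out = []
    for tilde, pattern, body in SECTION.findall(text):
        m = re.search(r'^\s*(Deny|Allow) from all\s*$', body, re.M | re.I)
        if m:  # sections without a host-based rule are ignored
            out.append((bool(tilde), pattern, m.group(1).lower()))
    return out

def verdict_for(text, path):
    """Assumed simplified model: the last matching <Files> section decides."""
    name = path.rsplit("/", 1)[-1]   # <Files> matches the file name only
    result = "allow"                 # no matching section: not restricted here
    for is_regex, pattern, verdict in parse_sections(text):
        hit = re.search(pattern, name) if is_regex else fnmatch.fnmatchcase(name, pattern)
        if hit:
            result = verdict
    return result

def blocked_assets(text, paths):
    """Non-PHP assets that the .htaccess would deny (should be empty)."""
    return [p for p in paths if not p.endswith(".php") and verdict_for(text, p) == "deny"]
```

Run against the first file, `blocked_assets` returns the `login.js` path from the error log above; against the second file it returns an empty list while `.php` files stay denied.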

@mattab
Member

mattab commented Jan 30, 2014

Thanks for the report!

I don't think we can easily fix this one; hopefully users experiencing the bug will find this ticket and know to delete the .htaccess causing problems.

@anonymous-matomo-user

We have to do better here. I just installed the Security check plugin and when I did it installed the .htaccess file in the plugins directory that is in the OP.

That broke all the images across the entire thing and I spent an hour trying to figure out:

  1. Did the recent update to 2.2.0 break this?
  2. Did another developer tweak the apache settings to break this?
  3. Are the files messed up somehow?

Installing a plugin shouldn't break the entire rest of the site by installing a hidden file into a fairly random directory.

This is pretty bad.

STR:

  • cd $PIWIK_INSTALL_DIR/plugins
  • cat .htaccess
  • Install the number one plugin in the marketplace, SecurityInfo and then enable it.
  • cat .htaccess

@mattab
Member

mattab commented May 13, 2014

The other day I stumbled upon this commit in phpbb: https://github.com/phpbb/phpbb/pull/2386/files#diff-f72a38c4bec79cc6ded3f8e435d6bd55L11

Maybe we could check out this one, and possibly how other popular open source projects have sorted their .htaccess so it works across all server configurations.

@mattab
Member

mattab commented May 14, 2014

See related/possibly same issue #4941

@mattab
Member

mattab commented May 14, 2014

Replying to mlissner:

> We have to do better here. I just installed the Security check plugin and when I did it installed the .htaccess file in the plugins directory that is in the OP.

Are you sure it's the htaccess in OP, or maybe it created the htaccess in: #4499 rather than ticket description?

@anonymous-matomo-user

Replying to matt:

> Are you sure it's the htaccess in OP, or maybe it created the htaccess in: #4499 rather than ticket description?

Yeah, I'm sure. Just checked the server and it still has an .htaccess.bak file with the contents from the OP.

@mattab
Member

mattab commented May 14, 2014

In 6e83e22: Refs #4499 #4941 Adding <IfModule !mod_authz_host.c> around the Satisfy any which may fix the issue.

To test run the following command in the piwik directory:

```
rm js/.htaccess plugins/.htaccess core/.htaccess libs/.htaccess vendor/.htaccess misc/user/.htaccess
```

(this deletes all current htaccess files)

Then visit the System check page
(this re-creates the .htaccess files)

Then browse Piwik -> is it working fine?

If not, check your error log and please paste error as a comment in the ticket.

@anonymous-matomo-user

This seems to be related, in Piwik 2.2.3-b6, image files are not displayed (icons, etc) getting 500 errors instead.

Issue caused by .htaccess in plugins directory, section starting with

```
<Files ~ "\.(test\.php|gif|ico|jpg|png|svg|js|css|htm|html|swf)$">
```

Once that section is commented icons display correctly.

However, possibly a different issue, still get 500 error (see chrome console) with this file

```
/libs/jquery/themes/base/images/ui-bg_flat_75_ffffff_40x100.png 500 (Internal Server Error)
```

@mattab
Member

mattab commented May 19, 2014

> Issue caused by .htaccess in plugins directory, section starting with
>
> <Files ~ "\.(test\.php|gif|ico|jpg|png|svg|js|css|htm|html|swf)$">
>
> Once that section is commented icons display correctly.

Because it works on my dev, the demo, and many other servers, I'm trying to understand why not on yours and some others:

When this <Files> element is in your htaccess files, and you access Piwik, does it log some errors in your server error log?

What is the error message?

Maybe you do understand why this <Files> somehow creates an error on your server?

We need more help from you guys to fix the issue properly, cheers :)

@mattab
Member

mattab commented May 21, 2014

In 7183d21: Refs #4499 This should fix the issue with htaccess files being incorrect.
Todo: create Update file to re-create all htaccess files.

@mattab
Member

mattab commented May 21, 2014

In 2e0b98d: Fixes #4499 Adding upgrade file to re-create all htaccess files with the correct values.

@anonymous-matomo-user

Sorry, I did not have mail notification on, just noticed your post.

Unfortunately I don't have access to the full server log, I do have a php error log and there were no errors there.

I don't know why that section of the htaccess causes problems - I didn't do much debugging. The problem could be anywhere in the 2nd half of the htaccess file after <Files>, although the commands used are not used in any other application that I used.

I noticed a comment in the new code you posted related to new instruction in Apache 2.4. My server is on Apache 2.2.25 and I normally use Deny / Allow instructions in htaccess.

@mattab
Member

mattab commented May 21, 2014

@samiam can you please try the latest beta version? This issue should be fixed after you upgrade, but we would like to know for sure that it is fixed for you. If not, we will try some more things. See: http://piwik.org/faq/how-to-update/faq_159/

@anonymous-matomo-user

Hmm, I thought it was but the page is not loading properly and I am getting errors in the browser dev panel

```
GET http://www.mydomain.com/plugins/Morpheus/images/index.php?module=CoreHome&action=index&idSite=1&period=day&date=yesterday net::ERR_TOO_MANY_REDIRECTS index.php?module=CoreHome&action=index&idSite=1&period=day&date=yesterday:1
GET http://www.mydomain.com/plugins/Zeitgeist/images/index.php?module=CoreHome&action=index&idSite=1&period=day&date=yesterday net::ERR_TOO_MANY_REDIRECTS index.php?module=CoreHome&action=index&idSite=1&period=day&date=yesterday:1
```

Also getting php errors

```
[21-May-2014 11:58:28 UTC] PHP Fatal error:  Call to undefined method Piwik\SettingsPiwik::rewriteMiscUserPathWithInstanceId() in /home/user/public_html/analytics/plugins/CoreAdminHome/CustomLogo.php on line 150
[21-May-2014 11:58:28 UTC] PHP Fatal error:  Call to undefined method Piwik\SettingsPiwik::rewriteTmpPathWithInstanceId() in /home/user/public_html/analytics/core/Twig.php on line 63
```

@anonymous-matomo-user

I looked at this a bit more. As far as I can see the update to the latest beta nuked a .htaccess that I had in the Piwik root folder. After replacing this it seems to work fine.

@mattab
Member

mattab commented May 23, 2014

In 01d9dd0: When deleting htaccess files, make sure we only delete those that we may have created.
Thank you @samiam for the report of bug, that's really helpful. We will not over-delete (often important) htaccess of more Piwik users!
refs #4499
Will be available in 2.3.0-rc2

@oparoz oparoz added this to the 2.3.0 - Piwik 2.3.0 milestone Jul 8, 2014
sabl0r pushed a commit to sabl0r/piwik that referenced this issue Sep 23, 2014
This issue was closed.